[Help-gnutls] Re: windows startup still slow -- what to do?

Simon Josefsson simon at josefsson.org
Tue Sep 18 10:12:45 CEST 2007


"Evan Martin" <martine at danga.com> writes:

> Hello,
> I've been [reluctantly] porting some software from Linux to Windows
> and I was happy to discover that GnuTLS had a nice Windows installer.
> After getting things mostly working, I started looking into why
> startup was so slow and discovered that gnutls_global_init() takes
> maybe five seconds to run on this machine.  (Laptop, "Core Duo T2400 @
> 1.83GHz" says the System control panel.)

Hi!  Thanks for feedback, the culprit here is actually libgcrypt.

> I've read over the old threads on this phenomenon, so I appreciate
> that the problem is at least known.  My questions are:
>
> - Is this something that's likely to be ever fixed?  If so, can I help out?

The problem is that libgcrypt is slow to gather entropy under Windows,
and that should very much be fixable if someone sits down and works on
it.  The reason this has probably taken so long is that it is easy to
make the code faster, but difficult to maintain security.  So I think
the patches that have been proposed so far simply do not lead to the
same amount of entropy being available.  That's bad, and such patches
are not likely to be accepted by the libgcrypt folks.

> - Otherwise, what's the best way to temporarily work around this?
> (http://josefsson.org/gnutls4win/ links to
> http://www.securitypunk.com/libgcrypt/ but that site appears to be
> down.)

Maybe some web archive site still carries their patch and pre-built DLL...
however, I think it is unclear whether their patch leads to the same
amount of good entropy; that's why it hasn't been approved.

> I suppose I can deal with a very slow startup on Windows with the
> final release, but while I'm debugging it's killing me to have to wait
> each time I run...

I think you can tell libgcrypt to not bother gathering entropy, by:

      gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);

There is some ordering issue here, and I don't recall whether you need
to call that before or after you initialize libgcrypt (via
gnutls_global_init).

Does this work?  If so, I'll add it to the GnuTLS4Win page, it may help
others in your situation.

/Simon




